why ‘not your CISO’?
It’s been six years since I first started studying cybersecurity, and three years in the cybersecurity industry working in various domains including secure software development, incident response, risk management, etc. In these last six years, I have completed my bachelor’s in computer engineering, passed the GIAC Security Essentials Certification, provisionally passed the CISSP, and held the position of designated Information Security Officer (ISO). I will join the University of Maryland, College Park this fall to pursue my Master’s in Cybersecurity.
In these last six years, I learned a lot, experimented a lot, pivoted a lot, and also figured out a lot of problems in this industry. I will try to summarise a couple of them below:
- Not everything is P0.
- Risk Acceptance is not the solution.
- Don’t look for creativity when your organisation lacks basic security controls.
- Phishing simulations are just a way to make your users more paranoid.
- Industry-standard compliance is just a way to bring in more sales.
- Cybersecurity is much more than ethical hacking. Ethical hacking is not the whole of cybersecurity.
- A basic understanding of risk management is a must for every cybersecurity professional.
- The industry is also equally responsible for creating a job skill gap.
- Fancy jargon and technology will not take you anywhere if the passwords used in your organisation are still admin123, password123, etc.
And there are a lot more. I will be writing about these problems. The aim is not just to identify the problems; the whole world is already doing that. I will try to write about solutions as well. The problems are real and are expected to grow exponentially. The idea is to bring about change at the ground level, not just write about it. I don’t know if I will be successful enough to bring about this change, but I would be more than happy if I am able even to create a spark.
Why should you follow me?
I would say just give it a chance, read, and drop your feedback. Then decide whether you want to follow or not. I will be blunt: why would you listen to me, when you don’t even listen to your own CISO?
That’s why I am ‘not your CISO.’ I am just here to publish my unsolicited advice.